Vulnerability
NetProwler
Affected
Symantec/Axent NetProwler 3.5.x
Description
Martin O'Neal (Corsaire Limited Security Advisory) found
following. The aim of this document is to clearly define some
potentially unsound password practises within the NetProwler
application environment as provided by Symantec/Axent.
The latest version of the NetProwler intrusion detection product
comes as a three-tiered architecture, consisting of agents, a
management component, and a console. Access between the
components is achieved via channels that are protected by
passwords, which have several weak defaults and unnecessary
restrictions.
The default password chosen to restrict access to the management
tier is "admin", which apart from being weak, is not required to
be changed during the install process (the documentation does
recommend changing this, but in the real world this might
potentially be overlooked).
The password entered into the agent tier must be within 8-16
characters long, and does not seem to be restricted as to which
keyboard characters are entered. The manager component needs to
connect to the agent as part of its normal operation, and to
achieve this, the agent password must be entered. However, the
manager interface unnecessarily restricts the use of the |"\':*?<>
characters, reducing the potential keyspace available and making
the task of brute forcing passwords easier.
The management component itself is connected to a local MySQL
database via ODBC. The passwords for these connections are by
default blank (again, the documentation does recommend changing
this, but in the real world this might potentially be overlooked).
Solution
As many of us have seen in the flesh, installations are often
carried out with default values. Sometimes with the intention of
going back and doing it 'properly' when the opportunity arises
(though this might not happen for some time, if ever).
Manufacturers can help this situation by enforcing good security
practise at installation time. Requiring strong passwords, and
selecting good default values for critical metrics.
In this particular circumstance; follow the recommendations in the
documentation and change the passwords!